<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Christopher Mandelaris, Author at Security Current</title>
	<atom:link href="/author/chris-mandelaris/feed/" rel="self" type="application/rss+xml" />
	<link>/author/chris-mandelaris/</link>
	<description>Security Current improves the way security, privacy and risk executives around the world collaborate to protect their organizations and their information. Its CISO-driven proprietary content and events provide insight, actionable advice and analysis giving executives the latest information to make knowledgeable decisions.</description>
	<lastBuildDate>Mon, 21 May 2018 19:34:00 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	

<image>
	<url>/wp-content/uploads/2020/09/cropped-Security-Current-Round-Logo-32x32.png</url>
	<title>Christopher Mandelaris, Author at Security Current</title>
	<link>/author/chris-mandelaris/</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>How to Assign a Monetary Value to a Security Solution</title>
		<link>/how-to-assign-a-monetary-value-to-a-security-solution/</link>
		
		<dc:creator><![CDATA[Christopher Mandelaris]]></dc:creator>
		<pubDate>Mon, 21 May 2018 19:22:15 +0000</pubDate>
				<category><![CDATA[Featured Articles]]></category>
		<guid isPermaLink="false">/?p=19454</guid>

					<description><![CDATA[<p>Over the years, I’ve counseled numerous information security leaders on how to assign a monetary value to a security solution. It’s important to be able to speak in terms of&#8230;</p>
<p>The post <a href="/how-to-assign-a-monetary-value-to-a-security-solution/">How to Assign a Monetary Value to a Security Solution</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>Over the years, I’ve counseled numerous information security leaders on how to assign a monetary value to a security solution. It’s important to be able to speak in terms of protecting asset value because that is the language of the board of directors and other executive leaders who must approve a significant expense.</p>
<p>In many of these organizations, the security team has found a problem or discovered a serious vulnerability and they automatically think, “What&#8217;s the solution, what should we have in place?” They go out, do an RFP and buy a solution which they put in place to fix one particular problem. They never really take a good risk-based approach to the issue. What ends up happening is that the organization spends a dollar to save a nickel.</p>
<p>I look at the situation from a different perspective and ask, &#8220;Do we have the basics done first?&#8221; In information security, as in any effort, you’ve got to have the basics down before you can excel in what you are doing.</p>
<p>How you do that is by having a good Information Security Program inclusive of data and asset classification. This means you are going to have asset value labeled, you are going to have your data classification done. You are going to know where the crown jewels are in your organization so that, if you are looking at buying a new security solution, you can put an asset value to it and say, &#8220;What is this solution going to be protecting? Is the cost of this specific product justified by the value of what I&#8217;m trying to protect?&#8221; This enables you to look at the decision a little bit more quantitatively.</p>
<p><strong>First, some basic terminology</strong></p>
<p>Let’s review some basic terminology and how financial values are calculated.</p>
<p><strong>Asset Classification</strong> – In terms of information security, assets encompass data, the hardware which processes it and the media on which it is stored. Asset classification is the process of grouping assets according to the level of impact to the organization if confidentiality, integrity or availability is compromised.</p>
<p><strong>Data Classification</strong> – Classifying data is the process of categorizing data assets based on nominal values according to their sensitivity (e.g., impact of applicable laws and regulations). For example, data might be classified as public, internal, confidential (or highly confidential), restricted, regulatory, or top secret.</p>
<p><strong>Asset Value (AV)</strong> – Coming up with an accurate valuation of an information asset is a complex task that is best left to the owner of the asset. One measure of an asset’s quantitative value is the replacement value—how much it would cost to acquire the asset today. The replacement cost of a piece of hardware is easy to determine; for data, not so much.</p>
<p><strong>Exposure Factor (EF) </strong>– This is the measure or percent of damage that a realized threat would have on a specific asset. Another way to look at exposure factor is how wide the loss is, or how many people/records/assets are affected. For example, a data breach might expose 10,000 customer records.</p>
<p><strong>Single Loss Expectancy (SLE)</strong> – This value is calculated by multiplying the Asset Value by the Exposure Factor. Say that a single customer record has a quantitative value of $275. If 10,000 records are breached, the Single Loss Expectancy is $275 x 10,000, or $2,750,000.</p>
<p><strong>Annual Rate of Occurrence (ARO) </strong>– The ARO is the estimated probability that the threat will occur within a 1-year time frame. The ARO can be expressed as 0.0 if the threat will never occur, all the way up to 1.0 if the threat will always occur. For example, the ARO for a workstation virus might be set to 1.0, whereas a power outage to the network operations center that might occur once every 4 years would have an ARO of 0.25.</p>
<p><strong>Annual Loss Expectancy (ALE)</strong> – This value is the product of the annual rate of occurrence (ARO) and the single loss expectancy. Suppose you expect that a workstation will be infected with malware, and the cost to remediate the problem is $25,000. For an annual rate of occurrence of one, the annualized loss expectancy is 1 x $25,000, or $25,000.</p>
<p>The formula to calculate ALE is as follows:</p>
<p>AV x EF = SLE</p>
<p>SLE x ARO = ALE</p>
<p><strong>Is the proposed solution worth the financial cost?</strong></p>
<p>If you do the basics, understand your AV and EF, and calculate the SLE and ARO, then you can discern the value of putting funding into a particular solution based on your ALE and risk tolerance. Basically, if the annual cost of the solution is less than the ALE – which the solution must reduce or eliminate – then funding the solution seems to be worthwhile.</p>
<p>If you can put those numbers together quantitatively, that&#8217;s going to give you a really good benchmark to go to your board or your senior leadership team and ask for funding for a particular solution. Or, to justify the cost for a particular solution, it helps you explain why you&#8217;re spending money in a particular area as opposed to another. Every organization has different risk tolerance and it&#8217;s important to make sure you&#8217;re aligned with what your organization’s tolerance level is.</p>
<p>It may well be that the calculated ALE is within your tolerance of acceptable financial loss as an organization. Then maybe you don&#8217;t need to put a security product in place at all. On the other hand, if the ALE number is high, then it might be worth looking at deploying a best-in-class product, or something that&#8217;s really going to be tailored to mitigate that risk. It all comes down to your organization’s tolerance for risk.</p>
<p>It’s worth noting that these loss expectancy values do not include your other fiduciary responsibilities such as incident response, regulatory fines, breach notifications, credit monitoring for customers whose personal data was compromised, etc.</p>
<p><strong>The end result</strong></p>
<p>Once you&#8217;ve gone through the exercise of looking at asset values and loss expectancy, and after you&#8217;ve done your RFP and vetted out other vendors, you should have some sort of dollar value assigned to the security solution that you are thinking of acquiring. You&#8217;ve got a justifiable example, with meat on the bone to actually show why this product or this solution is viable. You can take that to the board for discussion and/or approval. You can give the reasons why you want the solution and how it affects the board and the company, and what you&#8217;re doing to help protect and strengthen the security posture of the organization.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Ideas for Overcoming a Security Talent Shortage</title>
		<link>/ideas-overcoming-security-talent-shortage/</link>
		
		<dc:creator><![CDATA[Christopher Mandelaris]]></dc:creator>
		<pubDate>Thu, 14 Dec 2017 18:45:48 +0000</pubDate>
				<category><![CDATA[Featured Articles]]></category>
		<guid isPermaLink="false">/?p=18599</guid>

					<description><![CDATA[<p>We have all read and probably even lived the statistics. ISACA claims there will be a global shortage of two million cyber security professionals by 2019. Every year in the&#8230;</p>
<p>The post <a href="/ideas-overcoming-security-talent-shortage/">Ideas for Overcoming a Security Talent Shortage</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>We have all read and probably even lived the statistics. ISACA claims there will be a global shortage of two million cyber security professionals by 2019. Every year in the U.S., 40,000 jobs for information security analysts go unfilled. Maybe some of those positions are in your organization.</p>
<p>It’s tough for all of us who want skilled people with the right information security expertise to help us protect our businesses. Those people are in high demand, and unless we have unlimited budgets, we might not be able to attract and retain them—but that doesn’t mean our openings have to go unfilled. Sometimes it just takes some flexibility to build out a good, solid team.</p>
<p>Here are a few ideas that I have put into practice to ensure that my company doesn’t go wanting for the information security professionals we need.</p>
<p><strong>Cultivate knowledge-in-depth just as you do defense-in-depth</strong></p>
<p>As a leader or manager, it&#8217;s important to be trusting, to be smart in who you hire and then know that those individuals that you&#8217;re hiring are capable of doing even more than what they were originally intended for. There’s a lot of benefit in teaching people new skills through having them train for different job roles.</p>
<p>I make a point to cross-train the people in my own organization. I never want to have just one person filling a role. I&#8217;ve got my primary employees for each of the areas of information security; and then I make sure I have a secondary individual who trains up for the role. Maybe this person doesn&#8217;t even have experience in that role, but the cross-training provides a great way to get that individual ready to step into the role, temporarily or permanently, if the need arises. Just as we apply defense-in-depth, we should cultivate knowledge-in-depth as well. That way you should be able to avoid having an unfilled opening that impacts your mission.</p>
<p><strong>Passion for a job puts perfection in the work</strong></p>
<p>Steve Jobs is credited with saying, “The only way to do great work is to love what you do.” This is why I never overlook people who have a passion for information security, even if they don’t have all the qualifications I’m looking for. I’m a classic example of that philosophy; I started my career in sales, but my passion for information technology eventually brought me into IT and then information security.</p>
<p>I like to hire from within and it&#8217;s always great to have individuals from other business areas that have an interest in security that you wouldn&#8217;t otherwise know, and have them come in and talk. If we have an opening and it fits the role and responsibilities and the person’s qualifications, I would love to bring someone in from another area that has that passion. I can teach anybody any of the tools, the techniques, the processes and the programs; I can&#8217;t teach passion. If the individual has that fire and likes having a coach rather than a manager, then we can do a lot of great things together. That&#8217;s how I am personally, so I look for people that are like that as well.</p>
<p>Even coming from outside the organization, if someone shows the interest and the drive to learn a certain function – if it&#8217;s information security or even IT, for that matter – I like to give them a chance if they really want the job. There are people who want the ball, and they&#8217;ll take the ball and they&#8217;ll go. They will work really hard for you and they will be a good asset to your team.</p>
<p><strong>Location, location, location is important in real estate but not in information security</strong></p>
<p>Information technology provides a lot of flexibility in the way that people work today. The old work philosophy used to be “butts in seats,” where everyone had to be at their desk, in their office, from open to close, every work day. Of course, that no longer applies today for many types of workers. To attract and retain good talent, it&#8217;s important to be flexible and know that people want a work/life balance, and that they need to work from home or other remote locations. That&#8217;s why we have VPN. If they need or want to work remotely, that&#8217;s okay by me.</p>
<p>I have two individuals on my team that work in other cities. I manage them just as closely as I do the people who work in my office location. Our working relationship is based on trust. What’s more, I don&#8217;t want to manage people and things more than I have to. I&#8217;ve got enough on my plate; so, what I try to do is hire really good and talented people. I give them some direction, tell them this is the area we want to focus on, and then get out of the way. I let them take care of their jobs and I watch and see how it goes the first few months. But, once that flywheel gets moving on their end, they feel a sense of ownership—“this is my program, this is my space.”</p>
<p>It doesn’t really matter where people do their work, as long as they get it done. Giving someone the flexibility to work outside the regular office setting can be the difference between hiring a great team member and missing out on a resource you really need and want.</p>
<p><strong>Summary</strong></p>
<p>The shortage of information security professionals is projected to continue for years to come. To recruit and retain a good workforce, you have to be flexible and creative in selecting and cross-training people.</p>
]]></content:encoded>
					
		
		
			</item>
	</channel>
</rss>
